Document ID: 13621
For Public Release 2001 October 10
This is not a Cisco Security Advisory.
There is a vulnerability in how Cisco routers and switches handle Cisco Discovery Protocol (CDP). By sending a large number of CDP neighbor announcements, it is possible to consume all of a device's available memory, causing a crash or other abnormal behavior. This vulnerability is assigned the Cisco bug ID CSCdu09909 (registered customers only) for Cisco IOS, and CSCdv57576 (registered customers only) for CatOS. This vulnerability was discovered by firstname.lastname@example.org.
All releases of IOS and CatOS prior to the fixed releases are vulnerable. All Catalyst models are vulnerable.
To follow the bug ID links below and see detailed bug information, you must be a registered user and you must be logged in.
In order to trigger this vulnerability, an attacker must be on the same segment as the target device. This vulnerability cannot be exploited over the Internet unless an attacker already has a helper program planted on the internal network.
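Because the flood has to originate on the local segment, the condition is visible to anyone monitoring that segment: a healthy link carries announcements from a handful of stable neighbors, whereas the attack described above shows up as an unusual number of distinct Device IDs in a short time. The following detector is an added example written for this notice, not code from Cisco or from the notice itself. It parses the CDP packet body (the bytes after the SNAP header, using the public version/TTL/checksum/TLV layout) and flags any segment that announces more distinct neighbors within a window than a configured maximum. The segment labels, the window of 60 seconds, the threshold of 8 neighbors and all sample frames are constructed for the example; the checksum is not verified.

```python
import struct
from collections import defaultdict

# Standard CDP TLV type codes (public protocol format)
CDP_TLV_DEVICE_ID = 0x0001
CDP_TLV_PORT_ID = 0x0003


def parse_cdp(payload):
    """Parse a CDP packet body (the bytes after the 802.2 SNAP header).

    Layout: version (1 byte), TTL (1 byte), checksum (2 bytes), then a
    sequence of TLVs, each type (2) + length (2) + value, where the length
    field counts the 4-byte TLV header. Malformed input raises ValueError
    instead of being silently accepted.
    """
    if len(payload) < 4:
        raise ValueError("truncated CDP header")
    version, ttl, checksum = struct.unpack("!BBH", payload[:4])
    tlvs = {}
    offset = 4
    while offset < len(payload):
        if offset + 4 > len(payload):
            raise ValueError("truncated TLV header")
        tlv_type, tlv_len = struct.unpack("!HH", payload[offset:offset + 4])
        if tlv_len < 4 or offset + tlv_len > len(payload):
            raise ValueError("TLV length out of bounds")
        tlvs[tlv_type] = payload[offset + 4:offset + tlv_len]
        offset += tlv_len
    return {"version": version, "ttl": ttl, "checksum": checksum, "tlvs": tlvs}


def device_id(payload):
    """Return the announcing neighbor's Device ID as text."""
    return parse_cdp(payload)["tlvs"].get(CDP_TLV_DEVICE_ID, b"").decode("ascii", "replace")


def detect_neighbor_bursts(frames, window_seconds=60, max_neighbors=8):
    """Flag segments where more distinct Device IDs were announced in one
    window than a healthy segment should have neighbors.

    frames: iterable of (timestamp_seconds, segment_label, cdp_payload).
    Returns {"alerts": sorted [(segment, window_start, distinct_neighbors)],
             "malformed": number of frames that failed to parse and were skipped}.
    """
    seen = defaultdict(set)
    malformed = 0
    for ts, segment, payload in frames:
        try:
            name = device_id(payload)
        except ValueError:
            malformed += 1  # a bad frame must not abort the whole sweep
            continue
        window_start = int(ts // window_seconds) * window_seconds
        seen[(segment, window_start)].add(name)
    alerts = [(seg, start, len(ids)) for (seg, start), ids in seen.items()
              if len(ids) > max_neighbors]
    return {"alerts": sorted(alerts), "malformed": malformed}


def _sample_payload(name, port=b"Eth0"):
    """Constructed sample CDP body for exercising the code above (not a captured
    frame): version 2, TTL 180 s, checksum left at zero because it is not verified."""
    dev = name.encode("ascii")
    return (b"\x02\xb4\x00\x00"
            + struct.pack("!HH", CDP_TLV_DEVICE_ID, 4 + len(dev)) + dev
            + struct.pack("!HH", CDP_TLV_PORT_ID, 4 + len(port)) + port)


# Constructed samples: two legitimate neighbors announcing every 60 s ...
NORMAL_FRAMES = [(t, "vlan10", _sample_payload(n))
                 for t in (0.0, 60.0, 120.0) for n in ("switch-a", "router-b")]
# ... versus 50 different Device IDs arriving on one segment inside a single window.
BURST_FRAMES = [(float(i % 30), "vlan10", _sample_payload(f"unknown-{i}")) for i in range(50)]
# A TLV whose length field (64) overruns the 6 bytes actually present.
TRUNCATED = b"\x02\xb4\x00\x00\x00\x01\x00\x40switch"

if __name__ == "__main__":
    print(device_id(NORMAL_FRAMES[0][2]))
    print(detect_neighbor_bursts(NORMAL_FRAMES))
    print(detect_neighbor_bursts(BURST_FRAMES + [(3.0, "vlan10", TRUNCATED)]))
```

The threshold is deliberately a count of distinct Device IDs rather than a raw frame rate: legitimate neighbors re-announce every TTL interval, so a per-second rate would alarm on a large but healthy segment, while an exhaustion attempt must keep presenting new neighbor entries for the device to allocate.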
The workaround for this vulnerability is to disable CDP. CDP can be disabled either for the whole device or on selected links. To disable CDP for the whole router, execute the following global command:
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# no cdp run
Alternatively, CDP can be disabled on a particular interface. This can be done using the following commands:
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# interface Ethernet0
Router(config-if)# no cdp enable
To disable CDP for the whole Catalyst, execute the following command:
Console> (enable) set cdp disable
Alternatively, CDP can be disabled on a particular port. In this example CDP is disabled for port 23 on module 1:
Console> (enable) set cdp disable 1/23
In this particular case, Cisco Systems advises all customers to disable CDP for the whole device. If you must keep CDP running for any purpose, you should consider disabling it on all interfaces/ports that face host farms or point outward from your administrative domain (for example, toward an upstream Internet Service Provider (ISP) or digital subscriber line (xDSL) customers).
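On a fleet of routers the question is which interfaces are still running CDP after the change, since IOS shows neither the default "cdp run" nor a per-port "cdp enable" in the running configuration. The audit below is an added example, not code from Cisco or from this notice: it reads a saved IOS running-config, infers the global and per-interface CDP state from the presence of "no cdp run" and "no cdp enable", and for any interface the operator has listed as untrusted (host-facing or upstream) but still enabled, emits the "interface X" / "no cdp enable" commands given above. The sample configuration, the interface names and the untrusted-interface list are constructed for the example.

```python
import re

INTERFACE_RE = re.compile(r"^interface\s+(\S+)")


def parse_cdp_state(config_text):
    """Extract CDP-relevant state from an IOS running-config.

    Returns (cdp_running, interfaces) where interfaces maps interface name to
    True if CDP is enabled on it. IOS omits the default "cdp run" from the
    config, so CDP is taken as running unless "no cdp run" appears; likewise a
    port is enabled unless its block contains "no cdp enable".
    """
    cdp_running = True
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if not line.startswith(" "):
            # Top-level line ("!", "hostname", "interface ..."): closes any interface block.
            current = None
            if stripped == "no cdp run":
                cdp_running = False
            m = INTERFACE_RE.match(line)
            if m:
                current = m.group(1)
                interfaces[current] = True
        elif current is not None and stripped == "no cdp enable":
            interfaces[current] = False
    return cdp_running, interfaces


def audit_cdp(config_text, untrusted_interfaces):
    """Report untrusted-facing interfaces that still speak CDP and build the
    per-interface remediation commands from the notice's workaround section."""
    cdp_running, interfaces = parse_cdp_state(config_text)
    report = {"cdp_running": cdp_running, "exposed": [], "unknown": [], "remediation": []}
    if not cdp_running:
        return report  # "no cdp run" already covers every interface
    for name in untrusted_interfaces:
        if name not in interfaces:
            report["unknown"].append(name)  # likely a typo in the policy list
        elif interfaces[name]:
            report["exposed"].append(name)
    if report["exposed"]:
        cmds = ["configure terminal"]
        for name in report["exposed"]:
            cmds += [f"interface {name}", " no cdp enable"]
        cmds.append("end")
        report["remediation"] = cmds
    return report


# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
version 12.2
hostname edge-rtr
!
interface Ethernet0
 description uplink to ISP
 ip address 192.0.2.1 255.255.255.252
!
interface Ethernet1
 description server farm
 no cdp enable
!
interface Serial0
 ip address 198.51.100.1 255.255.255.252
!
end
"""

if __name__ == "__main__":
    # Ethernet3 is deliberately absent from the config to show the "unknown" path.
    result = audit_cdp(SAMPLE_CONFIG, ["Ethernet0", "Ethernet1", "Ethernet3"])
    print(result)
    print("\n".join(result["remediation"]))
```

Run against a configuration that contains "no cdp run", the audit reports nothing to do regardless of the interface list, which matches the notice's preferred remedy of disabling CDP for the whole device.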
This vulnerability has been fixed in the following interim Cisco IOS® Software releases:
All later Cisco IOS releases should contain this fix.
Please note that interim images are built at regular intervals between maintenance releases and receive less testing. Interim images should be selected only if there is no other suitable release that addresses the vulnerability, and they should be upgraded to the next available maintenance release as soon as possible. Interim releases are not available through manufacturing, and they are usually not available for customer download from CCO without prior arrangement with Cisco Systems Technical Support.
At this time, Cisco Systems does not have estimated dates for when fixed versions of CatOS will be available.
Cisco Systems would like to thank Phenoelit for their cooperation on this issue.
Initial public release.
Added information about Catalyst.
Updated: Oct 12, 2001 | Document ID: 13621